The flaw was publicly disclosed by @PythonResponder, who confirmed the issue affected Windows Server 2012 and 2016 versions.
Microsoft will release a patch for my SMB bug next patch tuesday. They had a patch ready 3 months ago but decided to push it back….
— Responder (@PythonResponder) January 30, 2017
The flaw resides in the way the Windows OS handles the Server Message Block traffic, the vulnerability could be remotely exploited by an unauthenticated attacker.
“Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure.” reads the advisory issued by the US-CERT. “By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.”
The vulnerability was ranked with a Common Vulnerability Scoring System (CVSS) score of 10.0.
The advisory highlights that it is possible to trigger the flaw in multiple ways once a Windows system connects to an SMB share, and some attack scenarios don’t require user interaction.
“Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction,” continues the advisory.
When a vulnerable Windows machine connects to a malicious SMB server, it can crash in mrxsmb20.sys.
The US-CERT confirmed the public availability of the exploit code for this vulnerability and the lack of a practical solution to the problem.
A possible workaround consists in blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.
The proof-of-concept code for this vulnerability has been published on GitHub.
(Security Affairs – Server Message Block, zero-day, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.